Mumbai: Multiple government organizations, including the cyber cell of the Mumbai Police’s crime branch, the ministry of finance and the government’s cybersecurity arm Computer Emergency Response Team-India (CERT-In), are aggressively looking into the largest reported data breach India’s banking system has experienced so far.

The extent of the breach is not yet fully known though one agency put the number of compromised cards as high as 6.5 million.

After reports of a data breach in 3.2 million debit cards surfaced, the cyber cell of Mumbai Police’s crime branch on Friday stepped into the investigation, taking cognizance of the issue on its own. The cell has sought information and data from the National Payments Council of India (NPCI) and the Reserve Bank of India in this connection, said a senior official.

“No complaint has come to us for a formal investigation; but initial examination suggests 6.5 million cards have been compromised,” said Brijesh Singh, Special IG-Cyber, Maharashtra Police.

“We have also sought a full report from NPCI,” Singh added. He didn’t reveal the source of the 6.5 million figure.

However, at the bank level, there is no clarity on the kind of data that was stolen.

“It is still unclear what kind of customer data has been breached into; that is what the investigation has to confirm. According to what we know, only card details, PIN and customer phone numbers can be stolen from an ATM; but we don’t know if any other bank data has been compromised. From initial reports, the damage seems small, but we will be able to better assess it after the (SISA Information Security ) report comes out in November,” said a banker aware of these developments.

Mint reported on Friday that NPCI, Visa, Mastercard, the banks involved and Hitachi Payment Services had called for a forensic probe by SISA Information Security Pvt. Ltd last month.

Separately, the ministry of finance has sought a detailed report from banks and RBI on all aspects of the debit card fraud, even as it received a preliminary report, said Shaktikanta Das, secretary, department of economic affairs.

“The government is seized of the matter. We have sought a report from RBI and banks. After receiving the reports, necessary action will be taken by the government,” Das said, adding that the reports will contain all aspects of the fraud.

Das said the integrity of banks’ information technology systems is very robust and the government will take “whatever action is required”, adding that there is no need for alarm.

“We have sought a report on the debit card fraud. The idea is to be able to contain the damage post findings of the report,” said finance minister Arun Jaitley.

After media reports of the debit card data breach, CERT-In sent a report to the government listing the steps it has taken so far, said an official in the ministry of electronics and information technology.

The cybersecurity agency has written to State Bank of India, Axis Bank and HDFC Bank asking for information about the incident, said the report viewed by Mint.

On 19 October, CERT-In had, along with the National Critical Information Infrastructure Protection Centre, sent a mail to the chief information security officers of banks about a rise in the instances of fraud being carried out through bank ATMs by using malware, the cybersecurity agency’s report said.

CERT-In in July sent out an alert on planned cyber attacks on banks’ information infrastructure. Subsequently, it had alerted banks on 12 August and 24 August about “backdoor Trojans which steal credentials of users and... advanced targeted attacks, along with the indicators of compromise for the banks to take action”, the report said.